Summary
The internet has made it easier than ever to share information, but at the same time it has made it easier than ever to trace who shared it. In order to ensure that news organizations are able to accept truly anonymous submissions from whistleblowers, the Freedom of the Press Foundation has supported the ongoing development and maintenance of the SecureDrop platform. In this episode core developers of the project explain what it is, how it protects the privacy and identity of journalistic sources, and some of the challenges associated with ensuring its security. This was an interesting look at the amount of effort that is required to avoid tracking in the modern era.
Announcements
- Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
- When you’re ready to launch your next app or want to try a project you hear about on the show, you’ll need somewhere to deploy it, so take a look at our friends over at Linode. With 200 Gbit/s private networking, scalable shared block storage, node balancers, and a 40 Gbit/s public network, all controlled by a brand new API you’ve got everything you need to scale up. And for your tasks that need fast computation, such as training machine learning models, they just launched dedicated CPU instances. Go to pythonpodcast.com/linode to get a $20 credit and launch a new server in under a minute. And don’t forget to thank them for their continued support of this show!
- You listen to this show to learn and stay up to date with the ways that Python is being used, including the latest in machine learning and data analysis. For even more opportunities to meet, listen, and learn from your peers you don’t want to miss out on this year’s conference season. We have partnered with organizations such as O’Reilly Media, Dataversity, Corinium Global Intelligence, and Data Council. Upcoming events include the O’Reilly AI conference, the Strata Data conference, the combined events of the Data Architecture Summit and Graphorum, and Data Council in Barcelona. Go to pythonpodcast.com/conferences to learn more about these and other events, and take advantage of our partner discounts to save money when you register today.
- Your host as usual is Tobias Macey and today I’m interviewing Jen Helsby and Kushal Das about SecureDrop, a secure platform for submitting and receiving documents anonymously
Interview
- Introductions
- How did you get introduced to Python?
- Can you start by describing what SecureDrop is and how it got started?
- How did you get involved in the project?
- Can you give some background on where and why it is useful?
- For someone using a running instance, what does their workflow look like?
- What are some of the ways that you minimize user experience hurdles to prevent them from circumventing the security through laziness or apathy?
- I was a bit surprised to see the references to the messaging system that is included. Why is that an important feature?
- What form do the submissions generally take and what are the limits on formats that you can accept?
- How is the system itself architected and how has the design evolved since the first implementation?
- In terms of the security protocols and technologies that are implemented, what factors are you considering as you develop the project?
- What are the weak points or edge cases that could lead to compromise and how do you guard against them?
- In terms of the deployment and maintenance of a SecureDrop instance, how much technological sophistication is necessary for the organization running it, and how much effort do you put into simplifying it?
- What are some of the notable uses of a SecureDrop deployment and what motivates you to continue working on it?
- What are the most interesting/innovative/unexpected uses of SecureDrop that you have seen?
- How do you approach the sustainability of the platform?
- What have you found most challenging/interesting/unexpected in your work on SecureDrop?
- What is in store for the future of the project?
Keep In Touch
- Jen
- @redshiftzero on Twitter
- redshiftzero on GitHub
- Blog
- Kushal
- Website
- @kushaldas on Twitter
- kushaldas on GitHub
Picks
- Tobias
- Kushal
- Permanent Record by Edward Snowden
- Jen
- Permanent Record by Edward Snowden
Closing Announcements
- Thank you for listening! Don’t forget to check out our other show, the Data Engineering Podcast for the latest on modern data management.
- Visit the site to subscribe to the show, sign up for the mailing list, and read the show notes.
- If you’ve learned something or tried out a project from the show then tell us about it! Email hosts@podcastinit.com with your story.
- To help other people find the show please leave a review on iTunes and tell your friends and co-workers
- Join the community in the new Zulip chat workspace at pythonpodcast.com/chat
Links
- SecureDrop
- Aaron Swartz
- Freedom Of The Press Foundation
- SecureDrop Directory
- Tor Browser
- Tor == The Onion Router
- Tails OS
- Ubuntu
- IDS == Intrusion Detection System
- Ansible
- DEF CON
- Mozilla Open Source Support (MOSS)
- Testinfra
- Flask
- Molecule unit test library for Ansible
- Bandit
- Safety
- Qubes OS
- Qt
The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA
Hello, and welcome to Podcast.__init__, the podcast about Python and the people who make it great. When you're ready to launch your next app or want to try a project you hear about on the show, you'll need somewhere to deploy it. So take a look at our friends over at Linode. With 200 gigabit private networking, scalable shared block storage, node balancers, and a 40 gigabit public network, all controlled by a brand new API, you've got everything you need to scale up. And for your tasks that need fast computation, such as training machine learning models and running your continuous integration, they just launched dedicated CPU instances. Go to pythonpodcast.com/linode, that's l i n o d e, today to get a $20 credit and launch a new server in under a minute. And don't forget to thank them for their continued support of this show.
And you listen to this show to learn and stay up to date with the ways that Python is being used, including the latest in machine learning and data analysis. For even more opportunities to meet, listen, and learn from your peers, you don't want to miss out on this year's conference season. We have partnered with organizations such as O'Reilly Media, Dataversity, Corinium Global Intelligence, and Data Council. Upcoming events include the O'Reilly AI Conference, the Strata Data Conference, the combined events of the Data Architecture Summit and Graphorum, and Data Council in Barcelona. Go to pythonpodcast.com/conferences today to learn more about these and other events and take advantage of our partner discounts when you register. Your host as usual is Tobias Macey. And today, I'm interviewing Jen Helsby and Kushal Das about SecureDrop, a secure platform for submitting and receiving documents anonymously.
So, Jen, can you start by introducing yourself?
[00:01:47] Unknown:
Sure. My name is Jen Helsby, and I'm the lead developer of SecureDrop. And Kushal, can you introduce yourself?
[00:01:53] Unknown:
Hi. I'm also a maintainer of SecureDrop, and I'm part of various other projects, including as, like, a Python core developer. And both Jen and me, we both are part of the Tor project also. And Jen, do you remember how you first got introduced to Python? Yeah. I started using Python when I was in graduate school. I did a PhD in astrophysics, and so I started using Python for data analysis. This is some years ago. And Kushal, how about you? Do you remember how you first got introduced to Python? Yeah. I mean, I saw Python back in college days, but, like, in 2005, someone told me that I could try to write applications for my Nokia phones using Python. Sadly, I had a different version of Nokia, which was Series 90, which never had Python. But, yeah, that's how I got into it. And so can you start by describing a bit about what the SecureDrop project is and how it got started and how you each got involved with it? Yeah. Totally. SecureDrop's an anonymous whistleblowing platform that was first created
[00:02:46] Unknown:
by Aaron Swartz, Kevin Poulsen, and James Dolan around 2012. And that was around the time that WikiLeaks was in its heyday, and they had this submission system, and they were getting interesting documents through it. And so the idea was to create an open source project that would be something similar that major news organizations could use to also get documents while protecting the identity of sources. And so it's not really a new idea, because news organizations have had, like, anonymous tip lines for some time. But doing it in today's kind of surveillance landscape is the challenge. And I got involved, like, 3 years ago. I had installed SecureDrop and thought it was a great project, and so I started working on it. I think
[00:03:28] Unknown:
my interest in the project came in a different way. I saw it, like, from the Press Foundation and SecureDrop, from a distance all the time. And back in 2017, I was actually wondering if I should drop an email saying, like, hey, can I work on the project full time? And I was not able to do so till the time my wife, Anwesha, actually pushed me, like, just write to them and see what happens. And that changed many things in life, and I'm happily working on the project. And so can you give a bit of background as to some of the wheres and whys of when the SecureDrop project is useful? Yeah. Totally.
[00:04:02] Unknown:
So there are a lot of people that might wanna share information with a news organization, but might fear what will happen to them if they are identified as the person who shared the information. So they might be fired or, in more kind of extreme situations, they might even be potentially charged with a crime or worse. And generally, reporters, at least in the US, will refuse to provide a source's identity when asked by the government. And so the general problem is that, you know, in today's world, all communications are mediated by third parties. And now the government doesn't need to ask a journalist who their source is. They can just go to a third party and ask them. And so we started seeing this happen a lot more during the Obama administration, where the government would get a court order to acquire the telephone records of a journalist in order to identify the source. That happened with the Associated Press, for example, under Obama, and happens even more under Trump, unfortunately.
And so that's, the situation where if an organization thinks they're going to get sources of that type, then using providing SecureDrop along with other channels is a a good idea.
[00:05:11] Unknown:
Yeah. Given the fact that a lot of the sort of original ways that journalism was done was much more face to face, it was possible to be able to shield your sources, because you didn't have those electronic trails for people to be able to follow and uncover who might have released a particular document. But with the global nature of communication and the fact that a lot more people will be collaborating over larger distances, it increases the availability and access to that information. But as you said, it increases the potential risk. So it's definitely good that there are platforms such as SecureDrop available to help ensure that there is the availability of that information without necessarily putting people at risk in the process of providing it. Yeah. Absolutely. Even, like, meeting physically in the modern age, sometimes people are like, okay, well, I won't call them on the phone, but then I'll meet them physically. And that's still, you know, in a city, certainly produces a significant amount of data, because CCTV cameras are everywhere, facial recognition, and that's something that, depending on the adversary you're concerned about, could be used to identify you. So, yes, quite a hard problem. So for somebody who is running an instance of SecureDrop and somebody who wants to submit some information to that organization, what does the overall workflow look like for the person who is submitting, either in terms of just discovering the availability of it in the 1st place and then actually providing the information, and then on the receiving end, the actions required to actually
[00:06:35] Unknown:
retrieve that information and make use of it? Yeah. I mean, I can talk from the source point of view, and then Jen can explain what happens on the journalist side. Sources find out about it via other media, like the organization's normal news website. Some physical newspapers also print it in the physical copy. And we also have, like, a directory where we have verified URLs from different organizations that are running SecureDrop. So a source can identify it from many of these, or in one particular case we saw, one organization actually put their URL on a billboard in front of another large organization. So when a source sees this, if they try to read a little bit more about how they can submit, all of these websites generally also give some sort of bare minimal steps for the sources: how they can actually use the Tails operating system, go to a different network, like a cafe or somewhere, like, don't try to do anything from your office network. And using Tor Browser on Tails, they can open up the instance and just click and log into the box and submit any documents, or they can ask any questions or send some sort of messages. And from the source point of view, they do not get a username, password, or any details. They just get one big Diceware-generated password, which they have to just remember for next time. Jen, you wanna go ahead for the journalist? Once the source has uploaded either documents or messages
[00:08:10] Unknown:
to a SecureDrop server, then the journalist will come along, and they will access another web application that is separate from the web application that sources are using, again using Tor Browser. And they will download those documents, whatever they're interested in. And then they will transfer those documents across an air gap. So they will transfer it to a machine that's never been connected to the Internet and is not currently Internet connected, using some storage device like USB drives or CDs. So they take these documents across, and that is where they decrypt and read those documents on an air gap machine, which we call the secure viewing station. And so that's the only place where documents can be decrypted. So at that point, they'll either decide to respond to a source, in which case they need to go back to an online machine and send messages back to that source, who can then log in again and read them, or they will transfer those documents that they've decrypted to another workstation in the newsroom or print them out such that they can take them to their editor or whatever their workflow is after that point. So it's kind of a bit laborious having to traverse this air gap, but the main concern that motivates that design is, it's one of those scenarios where you're letting just random people on the Internet submit you files of any type, and then the journalist is going to open those files. And so the concern is, what if the file contains malware? And so we wanna keep that compartmented from the rest of the system. And because of the fact that there is the potential for malware, I'm wondering
[00:09:44] Unknown:
what any sort of best practice or standard operating procedure is in terms of the air gapped computer as far as ensuring that it is up to date with its security updates and has some sort of active protection to prevent any sort of malware from infecting the rest of the machine. Or, I mean, given the fact that it's air gapped, there's less of a, sort of, blast radius, where you don't have to worry about it escaping from there. But I'm wondering if there's any sort of potential compromise as far as other information on the machine that might get destroyed in the process of opening some of those files, or just making sure that the overall security of that system is up to date as well, given that it's not connected to the Internet. Yeah. I mean, it's one of the main challenges with an air gap: it's not gonna be getting automatic security updates, and so people do need to manually update the air gap. The main concern right now with this air gap system is if an attacker can get code execution, it is the same place where the private key is stored. And so we still don't want to
[00:10:45] Unknown:
allow that to happen. If they do get code execution, all of the physical devices that could be used to exfil data are removed. So for example, the network cards are removed, the mics are removed, etcetera. So even if you can get a foothold, it's hard to get data off the system. Oh, I was saying, like, we also use Tails in both the journalist
[00:11:09] Unknown:
workstation and also the SVS, the secure viewing station. So Tails also provides some sort of, like, support as an air gap system here. Well, it has this amnesiac property, which is why we use it.
[00:11:23] Unknown:
So almost everything on the system will be destroyed when you reboot it. So there's just one directory that persists, and everything else is destroyed. So that's a real advantage in the case of malware potentially getting a foothold on the secure viewing station.
[00:11:41] Unknown:
And as you mentioned, some of the overall workflow, particularly on the receiving side, is a bit laborious. And then also on the person who's submitting the information, as you said, there is the potential for responding back to them, but it requires them to actively go back and log in with that randomly generated password to be able to see if there are any return messages without any way of being notified of their presence. So I'm curious if there's any sort of common workflow that people use to try and reduce any sort of, latency or barrier as far as the return communication to maintain some sort of a dialogue or if the, sort of document submission can serve as the riskiest piece of business and then the rest of the communication can happen in somewhat of a more convenient form factor?
[00:12:28] Unknown:
So there are people that just come to SecureDrop, dump documents, and never return. And then there are people that have these more extended interactions. Like, there are people that only talk through SecureDrop and have, like, long running relationships with journalists. The truth is that we don't know too much about individual news organizations. So we should have said that we just write the software, and then news organizations install it and operate it themselves. So we can't SSH into anybody's SecureDrop. It's all managed by administrators at each individual organization. And, you know, as a project, we don't want to know too much. I mean, we need to know some about what users are doing in order to design the system, but we don't wanna know too much, because it's obviously very sensitive, and that makes us a place where you could go to gather information about these common workflows and potentially use that to attack a news organization.
[00:13:23] Unknown:
And also in terms of just the overall user experience, having too many sort of, difficult steps or too much inconvenience in the process can often lead people to just short circuit the security and take shortcuts that will prevent the overall effectiveness of the system. And I'm wondering how you approach that user experience
[00:13:51] Unknown:
sort of prevents people or encourages people not to take those shortcuts that might compromise it. It's kind of hard for the journalist to actually use any other system than the properly set up journalist workstation to access the SecureDrop instance. And, finally, even on the journalist workstation, journalists can download any kind of submission, but they cannot view it till they actually move it to a particular air gapped secure viewing station. So even if they want, there is no such simple way to, like, you know, bypass the security. The way it is designed, it's difficult, and it's become such a, like, difficult level which cannot easily be bypassed to make that whole flow easy right now. Yeah. They would need to know how to, like, export private keys and stuff like that to circumvent the security. And we also do trainings at those places, most of those places where they take help from us about installing SecureDrop and things. So, like, Freedom of the Press Foundation's digital security team, they not only teach about how to use SecureDrop and make it into muscle memory, they also help to learn about digital security 101 and more details so that the overall digital hygiene is better for the journalist.
[00:15:04] Unknown:
And going back to the messaging system, because of the fact that this is at least at face value more of a 1 way relationship where somebody will submit documents to the news organization. I'm curious why you feel that the return messaging and being able to have that be a
[00:15:21] Unknown:
communications channel is important to the overall workflow and utility of the system. Yeah. One of the challenges with a system like this is that the source-journalist relationship is a human one, and so it can be hard to develop that rapport without having some kind of back and forth. So it might take some time before a source is comfortable sharing something, until they know that it's gonna be handled properly and that they're kind of gonna be safe. And so you could imagine that that's one of the uses of the messaging system. And a journalist might have follow-up questions. They might need clarification on what a document means if it's particularly technical in nature, or they might kind of need a pointer to where they can find out more. And so that kind of back and forth is what the messaging system is most useful for. And then, also, as far as the types of submissions, I'm curious what form they generally take, whether they're PDF documents typically
[00:16:18] Unknown:
or if they're, sort of zip archives, just the sort of general volume and scope and, sort of format support that's necessary for ensuring that you're able to access that information on the secure work station, the air gapped work station once you've retrieved it? There is a file size limitation, like, 500 MB that is, like, to start with. Then for as far as the file types are concerned, there is no limitation.
[00:16:43] Unknown:
Sources can submit any kind of document. And, depending on how the journalists want to view those documents in future, like, after they've decrypted it on the secure workstation, they may want to move it out to some other system, like some other fancy system maybe, which will be able to play that video or document and watch the document somehow. Yeah. Generally, what we try to have good support for in terms of, like, opening documents
[00:17:09] Unknown:
is, like, office kind of documents, PDFs, most common, audio and video formats. That's what you can open on a tails machine. And I think, you know, like, if you get a a SQL database dump or something like that, that would need to be taken to either another machine, or you would need the news organization would need to ferry, like, a dev that can open that file nicely, onto the air gap workstation.
[00:17:34] Unknown:
And then in terms of the overall system architecture, I'm wondering if you can talk through how it's designed and how it's deployed and some of the reasoning behind using Python as the implementation language.
[00:17:46] Unknown:
Sure. Yeah. So the way that it's architected right now is, every news organization installs 2 servers. So they both run Ubuntu Server, and one server is an application server. So that hosts 2 web applications: one that's used by the sources to submit the documents as previously described, and one that's used by journalists to access documents. So that's the first server, which we call the application server. And then the second server is a monitoring server that runs a host based IDS that just monitors the application server and then sends alerts for potentially suspicious activity to administrators.
Administrators here being the person at the news organization who's charged with keeping the SecureDrop in running order. And then we have a network firewall that separates the SecureDrop area of the network from the rest of the network, in case there's a compromise of the news organization network or a compromise of the SecureDrop network, just to keep things separated. And all of that is hosted on prem at a news organization. So it might be in their data center, or it might be, you know, in some cases, like the editor's office or the... And that is done primarily to protect sources and make sure that they do come in through Tor. And then admins can either use Tor or they can just use the regular LAN to administer the servers.
And then also a news organization needs to have an online journalist workstation that the journalist can use to download documents, and then this secure viewing station that is air gapped, as just described earlier. In terms of using Python, we want to generally pick technologies that are widely used and established and easy to maintain. And we, you know, really do get an advantage of using Python. So we use that for the 2 web applications and for a CLI that administrators use to administer the system. And given that the organizations
[00:19:52] Unknown:
that are running these instances don't necessarily have a lot of technical staff, particularly in the case of independent news organizations that might be fairly small, I'm wondering how you approach the overall system design to reduce the maintenance burden on those organizations and ensure that they're able to keep it up to date and appropriately secure so that it fulfills its original intent. So, like, what the actual administrator sees is, basically, a couple of small commands. And,
[00:20:23] Unknown:
as Jen mentioned, those are written in Python, but what those commands actually do is that they fire up a set of Ansible playbooks. And those playbooks make sure that the servers are in the correct state, like the iptables rules, what all software is to be installed, what kind of kernel it should run. All details for all of those servers are exactly the same, and that we can only achieve via using these Ansible runs. And that also helps to make sure that even if the administrator doesn't know much about Linux systems, they can just type this one single command, which will make sure that the servers are in the latest good state, the way it should be. And as far as the overall security protocols and technologies that you're using,
[00:21:05] Unknown:
what are some of the main factors that you're considering as you develop the project? And any weak points or edge cases that you are aware of and that you try to guard against that could potentially lead to a compromise?
[00:21:17] Unknown:
Yeah. So, generally, as I said earlier, we try to use widely used and established tools. So for example, if we add a dependency, we wanna make sure that it's very commonly used, and, you know, when we make an update to that dependency, we'll review the changes. So we do things like that. In terms of just general architecting for the project, we do threat modeling to analyze the functionality and the potential threats. And then when we're deciding what mitigations to apply, we go back to our threat model. So we have a document that's internal that contains every potential threat to the system, and then we try to rank all those threats to determine how to allocate engineering efforts, such that we don't spend time mitigating threats that are either low impact or very hard to actually execute as an adversary.
In terms of weak points and edge cases, probably the biggest challenge right now is just there are limits to what, I know, any technical tool can do. So there's cases where sources can be identified. And, you know, unfortunately, we have seen this, not necessarily people that use SecureDrop, but people that try to share information with news organizations, operational security failures. You know, if you're using a tool like SecureDrop, and then you also email a news organization directly, those kind of situations. Or if you're in an organization as a leaker and you're sharing a document that only a few people have access to and access to the document is logged, that's another really challenging problem that we can't really engineer around. And so those are the biggest threats that face potential sources right now. And I think, you know, certain organizations realize that just having really good logging and then alerting internally can potentially mean that as soon as somebody plugs in a USB drive, you can flag it. So that is probably the biggest issue.
[00:23:09] Unknown:
And as far as the overall development of the platform, what have been some of the most interesting or unexpected or challenging aspects in your experience of working on it and maintaining it and interacting with users? This for the development or, like, use cases or things we found interesting? Yeah. So for now, mainly just focusing on the actual development
[00:23:29] Unknown:
and maintenance of the project, and then we'll talk about some of the interesting use cases after. I think for me, like, what I always find really challenging is that we are trying to secure systems where we do not have any access. Like, all these SecureDrop instances, servers, they're running inside the organizations who are running them. And we as developers, like, have 0 access to those. So somehow, we have to make sure that those systems get updated and stay as secure as they should be. That's one of the biggest ones in my mind. Yeah, Jen. Yeah. That's an ongoing challenge, especially because we're supporting,
[00:24:04] Unknown:
like, we have contracts with some news organizations to help support the instance. And then another issue is just designing a system while trying to intentionally not know too much about, how it is used.
[00:24:17] Unknown:
That's a kind of an ongoing issue. And as far as any sort of interesting or unexpected uses of SecureDrop or notable cases where it has proven beneficial, I'm wondering if there are any stories that you can share on that front. There's a recent case where we,
[00:24:33] Unknown:
or it was announced at DEF CON this month, at the beginning of this month, that, apparently, the US federal government is going to use SecureDrop in order to get security vulnerabilities. So the reason why they want SecureDrop in that case is potential security researchers are concerned about retribution. And so if they could submit through SecureDrop, they could make sure that whatever agency is aware of the vulnerability and fixes it, without them being identified.
[00:25:02] Unknown:
And there is the other story, which is about, like, someone wrote an anti-diversity memo at Google, and it got leaked multiple times, multiple versions, via SecureDrop to different organizations, which was big news all across. Yeah. That one definitely took
[00:25:19] Unknown:
a while for people to get around it, and there was a lot of conversation and consternation on all sides of that conversation. And then in terms of the overall sustainability of the platform and the project, how do you approach any sort of required funding and making sure that you have an appropriate level of staffing on the development side, and then also the overall process for user feedback to ensure that you're incorporating new features or system improvements that make sure that everybody who's using SecureDrop is getting the benefit that they want? Yeah. Totally. So
[00:25:54] Unknown:
in terms of sustainability of the project, SecureDrop has been really fortunate that the project is supported by Freedom of the Press Foundation. So, Kushal and I are both employed by Freedom of the Press Foundation. They took the project over, after Aaron Swartz, unfortunately, passed away, I believe, in 2012. And so, FPF, which is short for Freedom of the Press Foundation, has supported development for, several years since then. We've also been fortunate to get funding from, Mozilla open source support, which, supports a bunch of Internet freedom projects like Tor as well. And so thanks to their support and other, kind of grant based funding and small donors that donate to FPF, we've been able to keep, the project maintained.
In terms of user feedback, we get user feedback either through just our bug tracker like other projects. We have, like, a private support portal, that organizations that install SecureDrop can use to file tickets if there's an issue or if there's something that they want changed. And then we also do surveys and user testing, and we do reach out privately
[00:27:10] Unknown:
means for circumventing surveillance. I'm wondering if there have been any cases where you've had to deal with any sort of pushback from either governments or other organizations that are either trying to shut the project down or have some sort of influence over it. Not that I know about anything.
[00:27:29] Unknown:
Yeah. Yeah. I'm not aware of anything like that either. I mean, I think we have at least, we both started working on the project when it had already kind of become pretty mainstreamed, and a lot of big news organizations like New York Times, etcetera, were using it. And so I think it would be pretty controversial if, you know, a government agency were to kind of publicly go after SecureDrop,
[00:27:52] Unknown:
the project at this stage. And then in terms of the overall system maintenance, you mentioned that you have the Ansible playbooks that allow users to get it deployed. I'm curious how you publicize to the different agencies that there's a new release CVE or vulnerability that's present on the system to ensure that they're running the latest versions, particularly if you have any dependencies that have some sort of CVE or vulnerability that's present on the system to ensure that they stay up to date, and then particularly for long running instances, how you help them with any sort of system upgrades of the underlying operating system.
[00:28:30] Unknown:
So, like, all SecureDrop servers by default, they get, like, any security updates that comes out, from the Ubuntu as an operating system. And then, we also, like, if there is any changes from us or new version or new bug fix version, those will also get pulled into the servers and, deployed without any, like, intervention from the system administrators. So and, those servers regularly get rebooted every day, based on the time the sysadmins, decided. And so that and we do a lot of QA on those, updates to make sure that those updates can pull in any other actual security updates or any other kind of dependencies which required to be there. And as far as the operating system updates, like, we, did 1 recently. We moved out of Trusty into Xenial, Ubuntu.
And for that, we actually, like, worked a lot on the messaging and making sure the administration, administrators get the proper steps and, like, help documents and everything so that they can, go through the certain steps to make sure that the transition happens without any hiccups. So, like, those all of those things together helps the systems to be updated. And then also as far as testing and verification, I'm wondering what that QA process looks like to ensure that you're not introducing bugs or potential regressions security vulnerabilities into the platform as you're preparing a release? SecureDrop is a free software project and, the source code, the bug, the bug trackers and everything is public. And you can, like, actually anyone wants to go and check, they will find the issues file for each of the release where we have a huge amount of, like, QA steps. Like, each and every parts of the project, we manually verify. And then, as far as, like, if you ask me as a developer, this is 1 of the best tested project as I have seen in my life as far as that, like, integration test cases, the kind of unit test cases we have in the project. And, like, for any kind of feature to go in, it actually gets verified by multiple reviewers.
And then all like we all like continuously running and executing those scripts and like the actual server to make sure that the server behaves the way it should. And, we have, like, 2 weeks of Yeah. Before every release. No. I was gonna say the exact same thing that we do a freeze 2 weeks before release,
[00:30:57] Unknown:
in order to test everything, and make sure that, you know, even though every new feature has test coverage, we still wanna test things manually, because some parts of the architecture are difficult to have automated tests for. So we have, like, tests for the web application. We have tests for the system state, using testinfra. But for example, the full workflow of installing from Tails, the 2 servers, that's not fully tested. And so we do do that each,
[00:31:27] Unknown:
regular release. And multiple times. As far as your overall experience for each of you individually in on the project, what have been some of the most interesting or unexpected or useful lessons that you've learned in the process? Like, I think Jen also already mentioned, 1 of the things is that supporting,
[00:31:44] Unknown:
any project, where we do not have any kind of access, that was kind of difficult. And, like, may building a system which is which will be used by people who are not always so much into Linux or, like, friendly to the, our our in sense, like, the developer's way of life. So any building any system for users, keeping those users in mind is always a challenge.
[00:32:08] Unknown:
I guess for me, like, making sure, you know, for any system that has a large number of potential threats, making sure that time is being spent on the kind of lowest hanging fruit in a in a more rigorous way like we've done with the threat modeling process I described earlier is is so valuable because it's kind of like security nerds. Sometimes we wanna focus on, like, the most interesting, attacks that we can think of, and it it can be tempting to get drawn into those. But kind of having a more rigorous approach to, okay, the easiest thing that I an attacker could do is x. Like, let's make sure that we reduce the risk of this and come up with the mitigation is really valuable. And I haven't really seen too many projects of this type publicly present that information, kind of how they went about the threat modeling process, it would be cool to see that. We've shared some of our threat modeling, documentation in our public docs at docs.securedrop.org.
[00:33:00] Unknown:
And as far as any particular packages or libraries
[00:33:05] Unknown:
that have been most useful in the process of building SecureDrop. I'm wondering if there are any that are notable that you'd like to call out. The web application is Flask, and we also already mentioned Ansible. That's another application, like, huge application, and we use Molecule for our test and testing for testing part. And then, a Tor project is obviously the 1 of the biggest thing of the whole project, Tor and Tor and Tails. Jen? Yeah. For security automation, a project that we use, which is really great is Bandit,
[00:33:32] Unknown:
to do static analysis, which we run in CI, Bandit and safety, so that we can, get, what we can fail CI when a CVE is found in 1 of our dependencies. And if other issues are introduced in a PR, just reduces the amount of manual review. It's really great to in you know, easy to integrate and, probably useful for any project, not just 1 that's security sensitive. In terms of the future of the project, what are some of the new features or improvements
[00:33:58] Unknown:
or just overall work and effort that you have in store in the near to medium term, and any help that you are looking for from the community to improve it or add new capabilities.
[00:34:10] Unknown:
Sure. So I guess 1 of the challenges right now is that we've made it pretty easy for sources to share documents with journalists. They just need to download Tor Browser and go to a website, basically. But a lot of that complexity has been offloaded to the journalist side, as, you know, it's described earlier with this kind of, clunky workflow. And so 1 of the things we've been working on is making it easier for journalists to check SecureDrops. So then instead of it taking maybe 30 minutes, it maybe could only take 5 minutes. And so we've been working on a project, for journalists, a workstation that combines the currently 2 separate work stations. So right now, we have this online workstation that's connected to the Internet that they used to download the documents. And then we have a separate workstation that's air-gapped, that they used to read the documents.
And so we've been experimenting using Qubes, which is a great project, and you should all check it out, which is basically a Xen distribution where everything is running inside a VM. And so they also have this concept called disposable VMs, which is kind of perfect for a SecureDrop because it's, the kind of situation where you could open a potentially malicious submission in this disposable VM. If it gets popped, it's fine. It's compartmentalized in the VM, modulo, Xen escapes, and then it's destroyed afterwards. And so we've been experimenting kind of architecting a kind of inter VM pipeline that would download documents, pass them to a VM that's running a nice GUI for the user. And then when the user clicks a button open document, it opens in this disposable VM. So that's, all the code for that is public on, our GitHub org freedom of press. And so if you're interested in helping out, probably the easiest place for people to get involved would be this GUI that I described, which is, written in Python. It's Qt, and there's a lot of active development on that right now. Are there any other aspects
[00:36:04] Unknown:
of the SecureDrop project or the use cases that it enables that we didn't discuss yet that you'd like to cover before we close out the show? I don't think so. But if you are maybe interested in learning about the organizations,
[00:36:17] Unknown:
that if you have information you would wanna share, you should download Tor Browser and then go to securedrop.org/directory
[00:36:25] Unknown:
to get a list of, many of them. Alright. Well, for anybody who wants to get in touch with either of you or follow along with the work that you're doing, I'll have you each add your preferred contact information to the show notes. And so with that, I'll move us into the picks. And this week, I'm going to choose laser tag because I got to hang out with my kids yesterday and some of their friends and our friends, and we all had a lot of fun playing laser tag together. So it's not something I've really done in the past, but, turned out to be quite enjoyable. So if you're looking for something to get up and move around and have fun doing it, it's worth taking a look at that. And with that, I'll pass it to you, Kushal. Do you have any picks this week?
[00:37:03] Unknown:
Oh, I'm actually waiting for not not for this week, but within few weeks. Like, Edward Snowden's, book is coming out, so I'm just waiting for that. Alright. And Jen, do you have any picks this week? Do I have any picks?
[00:37:16] Unknown:
I'm wracking my brain. I don't know that I do, but I will definitely check out Edward Snowden's book released September 17th.
[00:37:23] Unknown:
Alright. Well, thank you both for taking the time today to join me and discuss your work on SecureDrop. It's definitely an interesting project and an interesting problem space. So I appreciate your efforts on that, and I hope you enjoy I hope you each enjoy the rest of your day. Thank you. Thanks, Tobias. Thank you for listening. Don't forget to check out our other show, the data engineering podcast at dataengineeringpodcast.com for the latest on modern data management. And visit the site of pythonpodcast.com to subscribe to the show, sign up for the mailing list, and read the show notes.
And if you've learned something or tried out a project from the show, then tell us about it. Email host at podcastinit.com with your story. To help other people find the show, please leave a review on iTunes and tell your friends and coworkers.
Introduction and Sponsor Message
Interview with Jen Helsby and Kushal Das
Jen and Kushal's Introduction to Python
Overview of SecureDrop
Challenges in Modern Journalism
Workflow of SecureDrop
Security Measures for Air-Gapped Computers
User Experience and Security
System Architecture and Python Usage
Maintenance and Security Protocols
Development Challenges and User Feedback
Sustainability and Funding
Government and Organizational Pushback
System Updates and QA Process
Lessons Learned and Useful Libraries
Future Improvements and Community Involvement
Contact Information and Closing Remarks